0

How would you guys go about implementing something like this? I use Laravel as an API only. We have other framework where the login was implemented where it saves an httpOnly cookie (sessionId) after the user logs in. That's the main framework. We're migrating away from that old framework (Zend).

With the sessionId sent to Laravel from, say, a JS frontend, I'm able to lookup the current user based on the sessionId. That sessionId is then used to query the session database. I've created a middleware called "CheckForCurrentUser.php":

[..]

public function handle(Request $request, Closure $next)
{
    // The reason for this is that the OPTIONS (request) does not include the cookie in the request.
    $method = $request->method();

    // SESSIONID is the name of the cookie created from the main framework
    // once a user is logged in.
    // SESSIONID is an exception in EncryptCookies.php
    $sessionId = request()->cookie('SESSIONID');
    
    if ($method === 'POST' && $sessionId !== '') {
        // This function is only to get the logged in user id from the session database
        $userId = $this->notImportantFunction($sessionId);

        if ($userId) {
            // User id found so make current user for this Laravel API
            Auth::loginUsingId($userId);
        } else {
            // Instructs the frontend to let user log back in.
            return abort(401);
        }
    }

    return $next($request);

}

To recap, a user cannot authenticate from this Laravel application nor can I send an authentication token. They logged in from another framework. Laravel has access to the main framework databases.

This setup works. Using use Illuminate\Support\Facades\Auth; I use that as the "current user" in any controller/model.

Kernel.php looks something like:


[..]

protected $middleware = [
    
    [..]

    \App\Http\Middleware\CheckCurrentUser::class,

    [..]
];

Before I go any further, is that how you'd implement something like this? It does work (ish) but I do not get the SESSIONID unless I check for a POST request.

I do not like this setup. I'm now using lighthouse and having issues using both the @auth and @inject directives. This is due to how I authenticate a use with Laravel so sorting how I authenticate a user should sort Lighthouse. Any tips on how to refactor this the right way? My routes are with /api/some-string

Lighthouse is not the issue. Should I send a authentication header, Lighthouse works. I believe Laravel does something behind the scenes with it sees a token in the header. I cannot send an authentication. I can only rely on the cookie. It's httpOnly so I have no access to that from JavaScript.

Sylar
  • 11,422
  • 25
  • 93
  • 166
  • What do you mean, sorry? That sessionId was not from Laravel. – Sylar Mar 29 '21 at 18:14
  • I think your approach is totally ok. However, Laravel also provides some possibilities to handle your case, have a look here: https://laravel.com/docs/8.x/authentication#closure-request-guards – Tschitsch Mar 29 '21 at 18:31
  • @Tschitsch Thanks. I'll have a look at this. – Sylar Mar 29 '21 at 18:34
  • @Tschitsch yup! Works like a charm! Thank you very much. Lighthouse also works as it should. I can safely delete that custom middleware. – Sylar Mar 29 '21 at 19:32

0 Answers0